
Comments (4)

gkunz commented on May 30, 2024

Below is a scan result of the current state of the repo:

Low hanging fruits seem to be

  • addition of a SECURITY.MD file,
  • branch protection settings,
  • enabling CodeQL

Results:

{
  "date": "2024-03-22T15:13:49+01:00",
  "repo": {
    "name": "github.com/Ericsson/ove",
    "commit": "59c23e6d1b3425a8de7e72ad8ee735a8a0d0bf23"
  },
  "scorecard": {
    "version": "(devel)",
    "commit": "unknown"
  },
  "score": 3.8,
  "checks": [
    {
      "details": null,
      "score": 10,
      "reason": "no binaries found in the repo",
      "name": "Binary-Artifacts",
      "documentation": {
        "url": "https://github.com/ossf/scorecard/blob/main/docs/checks.md#binary-artifacts",
        "short": "Determines if the project has generated executable (binary) artifacts in the source repository."
      }
    },
    {
      "details": [
        "Warn: branch protection not enabled for branch 'master'"
      ],
      "score": 0,
      "reason": "branch protection not enabled on development/release branches",
      "name": "Branch-Protection",
      "documentation": {
        "url": "https://github.com/ossf/scorecard/blob/main/docs/checks.md#branch-protection",
        "short": "Determines if the default and release branches are protected with GitHub's branch protection settings."
      }
    },
    {
      "details": null,
      "score": -1,
      "reason": "no pull request found",
      "name": "CI-Tests",
      "documentation": {
        "url": "https://github.com/ossf/scorecard/blob/main/docs/checks.md#ci-tests",
        "short": "Determines if the project runs tests before pull requests are merged."
      }
    },
    {
      "details": null,
      "score": 0,
      "reason": "no effort to earn an OpenSSF best practices badge detected",
      "name": "CII-Best-Practices",
      "documentation": {
        "url": "https://github.com/ossf/scorecard/blob/main/docs/checks.md#cii-best-practices",
        "short": "Determines if the project has an OpenSSF (formerly CII) Best Practices Badge."
      }
    },
    {
      "details": null,
      "score": 0,
      "reason": "found 30 unreviewed changesets out of 30 -- score normalized to 0",
      "name": "Code-Review",
      "documentation": {
        "url": "https://github.com/ossf/scorecard/blob/main/docs/checks.md#code-review",
        "short": "Determines if the project requires human code review before pull requests (aka merge requests) are merged."
      }
    },
    {
      "details": [
        "Info: ericsson contributor org/company found, "
      ],
      "score": 3,
      "reason": "project has 1 contributing companies or organizations -- score normalized to 3",
      "name": "Contributors",
      "documentation": {
        "url": "https://github.com/ossf/scorecard/blob/main/docs/checks.md#contributors",
        "short": "Determines if the project has a set of contributors from multiple organizations (e.g., companies)."
      }
    },
    {
      "details": null,
      "score": -1,
      "reason": "no workflows found",
      "name": "Dangerous-Workflow",
      "documentation": {
        "url": "https://github.com/ossf/scorecard/blob/main/docs/checks.md#dangerous-workflow",
        "short": "Determines if the project's GitHub Action workflows avoid dangerous patterns."
      }
    },
    {
      "details": [
        "Warn: tool 'RenovateBot' is not used",
        "Warn: tool 'Dependabot' is not used",
        "Warn: tool 'PyUp' is not used"
      ],
      "score": 0,
      "reason": "no update tool detected",
      "name": "Dependency-Update-Tool",
      "documentation": {
        "url": "https://github.com/ossf/scorecard/blob/main/docs/checks.md#dependency-update-tool",
        "short": "Determines if the project uses a dependency update tool."
      }
    },
    {
      "details": [
        "Warn: no OSSFuzz integration found",
        "Warn: no GoBuiltInFuzzer integration found",
        "Warn: no PythonAtherisFuzzer integration found",
        "Warn: no CLibFuzzer integration found",
        "Warn: no CppLibFuzzer integration found",
        "Warn: no SwiftLibFuzzer integration found",
        "Warn: no RustCargoFuzzer integration found",
        "Warn: no JavaJazzerFuzzer integration found",
        "Warn: no ClusterFuzzLite integration found",
        "Warn: no HaskellPropertyBasedTesting integration found",
        "Warn: no TypeScriptPropertyBasedTesting integration found",
        "Warn: no JavaScriptPropertyBasedTesting integration found"
      ],
      "score": 0,
      "reason": "project is not fuzzed",
      "name": "Fuzzing",
      "documentation": {
        "url": "https://github.com/ossf/scorecard/blob/main/docs/checks.md#fuzzing",
        "short": "Determines if the project uses fuzzing."
      }
    },
    {
      "details": [
        "Info: FSF or OSI recognized license: LICENSE:1",
        "Info: License file found in expected location: LICENSE:1"
      ],
      "score": 10,
      "reason": "license file detected",
      "name": "License",
      "documentation": {
        "url": "https://github.com/ossf/scorecard/blob/main/docs/checks.md#license",
        "short": "Determines if the project has defined a license."
      }
    },
    {
      "details": null,
      "score": 10,
      "reason": "30 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 10",
      "name": "Maintained",
      "documentation": {
        "url": "https://github.com/ossf/scorecard/blob/main/docs/checks.md#maintained",
        "short": "Determines if the project is \"actively maintained\"."
      }
    },
    {
      "details": [
        "Warn: no GitHub/GitLab publishing workflow detected."
      ],
      "score": -1,
      "reason": "packaging workflow not detected",
      "name": "Packaging",
      "documentation": {
        "url": "https://github.com/ossf/scorecard/blob/main/docs/checks.md#packaging",
        "short": "Determines if the project is published as a package that others can easily download, install, easily update, and uninstall."
      }
    },
    {
      "details": [
        "Info: Possibly incomplete results: error parsing shell code: ternary operator missing ? before :: ove:0"
      ],
      "score": -1,
      "reason": "no dependencies found",
      "name": "Pinned-Dependencies",
      "documentation": {
        "url": "https://github.com/ossf/scorecard/blob/main/docs/checks.md#pinned-dependencies",
        "short": "Determines if the project has declared and pinned the dependencies of its build process."
      }
    },
    {
      "details": [
        "Warn: no pull requests merged into dev branch"
      ],
      "score": 0,
      "reason": "no SAST tool detected",
      "name": "SAST",
      "documentation": {
        "url": "https://github.com/ossf/scorecard/blob/main/docs/checks.md#sast",
        "short": "Determines if the project uses static code analysis."
      }
    },
    {
      "details": [
        "Warn: no security policy file detected",
        "Warn: no security file to analyze",
        "Warn: no security file to analyze",
        "Warn: no security file to analyze"
      ],
      "score": 0,
      "reason": "security policy file not detected",
      "name": "Security-Policy",
      "documentation": {
        "url": "https://github.com/ossf/scorecard/blob/main/docs/checks.md#security-policy",
        "short": "Determines if the project has published a security policy."
      }
    },
    {
      "details": null,
      "score": -1,
      "reason": "no releases found",
      "name": "Signed-Releases",
      "documentation": {
        "url": "https://github.com/ossf/scorecard/blob/main/docs/checks.md#signed-releases",
        "short": "Determines if the project cryptographically signs release artifacts."
      }
    },
    {
      "details": null,
      "score": -1,
      "reason": "no tokens found",
      "name": "Token-Permissions",
      "documentation": {
        "url": "https://github.com/ossf/scorecard/blob/main/docs/checks.md#token-permissions",
        "short": "Determines if the project's workflows follow the principle of least privilege."
      }
    },
    {
      "details": null,
      "score": 10,
      "reason": "0 existing vulnerabilities detected",
      "name": "Vulnerabilities",
      "documentation": {
        "url": "https://github.com/ossf/scorecard/blob/main/docs/checks.md#vulnerabilities",
        "short": "Determines if the project has open, known unfixed vulnerabilities."
      }
    }
  ],
  "metadata": null
}

from ove.
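A way to derive that low-hanging-fruit list mechanically from the Scorecard JSON above, as an added example that is not part of the ove project or the original comment: it parses the result, skips checks Scorecard could not evaluate (score -1, e.g. no releases or no workflows), de-duplicates repeated detail lines such as the three "no security file to analyze" warnings, and lists the remaining checks lowest score first. The JSON excerpt is constructed from the output posted above.

```python
import json

# Constructed excerpt of the Scorecard JSON posted above: same shape as the
# real output, trimmed to a handful of checks.
SCORECARD_JSON = """
{
  "score": 3.8,
  "checks": [
    {"name": "Branch-Protection", "score": 0,
     "reason": "branch protection not enabled on development/release branches",
     "details": ["Warn: branch protection not enabled for branch 'master'"]},
    {"name": "CI-Tests", "score": -1, "reason": "no pull request found",
     "details": null},
    {"name": "Security-Policy", "score": 0,
     "reason": "security policy file not detected",
     "details": ["Warn: no security policy file detected",
                 "Warn: no security file to analyze",
                 "Warn: no security file to analyze"]},
    {"name": "Contributors", "score": 3,
     "reason": "project has 1 contributing companies or organizations -- score normalized to 3",
     "details": ["Info: ericsson contributor org/company found, "]},
    {"name": "License", "score": 10, "reason": "license file detected", "details": null}
  ]
}
"""

def parse_scorecard(text: str) -> dict:
    """Parse Scorecard's JSON output; the 'checks' array is what gets triaged."""
    return json.loads(text)

def actionable_checks(result: dict, max_score: int = 5) -> list:
    """Return checks scoring at most max_score, lowest score first."""
    items = []
    for check in result["checks"]:
        score = check["score"]
        # -1 means Scorecard had nothing to evaluate; that is not a failure to fix.
        if score < 0 or score > max_score:
            continue
        # Scorecard may emit the same detail line several times; keep order, drop repeats.
        details = list(dict.fromkeys(check.get("details") or []))
        items.append({"name": check["name"], "score": score,
                      "reason": check["reason"], "details": details})
    return sorted(items, key=lambda c: (c["score"], c["name"]))

def format_report(result: dict) -> str:
    """Render the triage as plain text: one line per check plus its detail lines."""
    lines = [f"overall score: {result['score']}"]
    for c in actionable_checks(result):
        lines.append(f"[{c['score']:>2}] {c['name']}: {c['reason']}")
        lines.extend(f"      - {d}" for d in c["details"])
    return "\n".join(lines)
```

Run `print(format_report(parse_scorecard(SCORECARD_JSON)))` to see the triage; raise `max_score` to include partially scored checks such as Contributors.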

gkunz commented on May 30, 2024

I set a very basic repository rule which only prevents force pushes. I didn't enable "require PRs" yet, given that this is primarily a single-developer project. Let me know if I should enable this.

I also checked the language support of CodeQL and shell scripts are not supported. Thus, I won't enable CodeQL.


mtempling commented on May 30, 2024

> I set a very basic repository rule which only prevents force pushes.

Ok.

> I didn't enable "require PRs" yet, given that this is primarily a single-developer project. Let me know if I should enable this.

Agreed. Let's wait with that setting.

> I also checked the language support of CodeQL and shell scripts are not supported. Thus, I won't enable CodeQL.

Ok.


gkunz commented on May 30, 2024

Completed the adoption of identified actions. Closing this issue.

